IcedID operators were observed diversifying their attack tactics

October 17, 2022

The operators of the IcedID malware have been observed diversifying their delivery tactics, apparently to determine which works best for their campaigns. Security researchers drew this conclusion from the group's September 2022 campaigns, in which the attacks followed slightly different delivery vectors so that the effectiveness of each could be compared.

Five distinct delivery methods were observed for the IcedID group between September 13 and September 21, 2022, all using Italian- or English-language lures. Researchers also noted signs of carelessness in the group's command-and-control (C2) server management, based on changes seen in the recent campaigns.

Delivery methods using an LNK file proved the most effective for the IcedID operators.

Of the five delivery methods observed, researchers concluded that using an LNK (Windows shortcut) file to deliver the malicious payload to victims' devices was the most effective.

The next most effective method was distribution through PrivateLoader campaigns, in which the operators used gaming or cracked-software lures to spread the malware. The delivery method using CHM (compiled HTML help) files was the least effective.
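Because the LNK vector is the one the researchers found most effective, the first thing a defender wants is a way to triage shortcut files before a user double-clicks one. The script below is an added example, not code from the article or from the researchers it summarises: it parses the fixed header and the StringData section of the Windows Shell Link (MS-SHLLINK) format and flags the patterns malicious shortcuts typically show, namely a script-host or proxy-execution binary as the target, an argument string that chains into another binary or a user-writable path, and a window hidden through ShowCommand. The two sample shortcuts are constructed inside the script; their paths and command lines are placeholders, not indicators from any IcedID campaign.

```python
"""Added example: triage of Windows Shell Link (.lnk) files. Not from the
article. Parses header + StringData (MS-SHLLINK) and applies heuristics for
shortcut-based malware delivery. Samples are constructed placeholders."""
import struct
from dataclasses import dataclass, field

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # starts minimised and unfocused: hides a console window

# StringData fields appear in this fixed order when their flag bit is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Binaries commonly abused as the shortcut target or chained from its arguments.
LOLBINS = ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
           "mshta.exe", "wscript.exe", "cscript.exe", "msiexec.exe", "certutil.exe")


@dataclass
class LnkInfo:
    flags: int
    show_command: int
    strings: dict = field(default_factory=dict)


def parse_lnk(data: bytes) -> LnkInfo:
    """Parse header and StringData; LinkTargetIDList/LinkInfo are skipped by size."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]   # offset 60 in the 76-byte header
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    info = LnkInfo(flags=flags, show_command=show_command)
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters, no terminator
        pos += 2
        width = count * 2 if unicode else count
        raw = data[pos:pos + width]
        pos += width
        info.strings[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return info


def suspicious_indicators(info: LnkInfo) -> list:
    """Return human-readable reasons the shortcut looks like a malware launcher."""
    reasons = []
    target = info.strings.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in LOLBINS:
        reasons.append(f"target is a script or proxy-execution host: {target}")
    args = info.strings.get("arguments", "")
    lowered = args.lower()
    for lb in LOLBINS:
        if lb in lowered:
            reasons.append(f"arguments chain into {lb}")
    if any(p in lowered for p in ("\\users\\public", "%temp%", "\\appdata\\", "%appdata%")):
        reasons.append("arguments reference a user-writable drop location")
    if "http://" in lowered or "https://" in lowered:
        reasons.append("arguments contain a URL")
    if len(args) > 200:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    if info.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window hidden via ShowCommand=SW_SHOWMINNOACTIVE")
    return reasons


def build_lnk(relative_path=None, working_dir=None, arguments=None, show_command=1) -> bytes:
    """Construct a minimal Unicode .lnk: header, StringData, ExtraData terminal block."""
    flags, body = IS_UNICODE, b""
    for bit, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                       (HAS_ARGUMENTS, arguments)):
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body + struct.pack("<I", 0)


# Constructed samples; paths and command lines are placeholders, not real IOCs.
MALICIOUS_SAMPLE = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    working_dir=r"C:\Windows\System32",
    arguments=r"/c rundll32.exe C:\Users\Public\invoice.dat,DllRegisterServer",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_SAMPLE = build_lnk(
    relative_path=r"..\..\Program Files\Notepad++\notepad++.exe",
    working_dir=r"C:\Program Files\Notepad++")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        info = parse_lnk(blob)
        print(label, info.strings.get("relative_path"), info.strings.get("arguments"))
        for reason in suspicious_indicators(info):
            print("  -", reason)
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block as well; the parser skips both by their size fields, so it can be pointed at files collected from a mail gateway or an archive extracted from a phishing attachment. The heuristics are deliberately loose triage signals, not a verdict: a legitimate administrative shortcut to cmd.exe will also trip the first check.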

The IcedID operators also experimented with the domains and IP addresses used for their C2 servers. According to the analysts, the group had always used unique IP addresses for each past campaign, a pattern that did not hold in the recent campaigns.

Researchers also noted that the group's C2 IP addresses now have a shorter lifespan than before, when they peaked at an average of 31 days. From these observations, the researchers infer that the group has become less careful with its infrastructure, likely because its attention is on testing delivery methods.

Despite these findings, researchers stress that the IcedID threat should not be taken lightly. The group and its payload remain sophisticated and capable of causing serious harm, so users are still advised not to engage with suspicious emails, which may be phishing attempts by the IcedID operators or other threat actors.

IcedID campaigns were first detected in 2017. The malware started as a modular banking trojan and has since evolved into a dropper used to gain initial access to corporate systems.
